ACS > User Configuration

When a user authenticates in ACS v3.3, a profile is created and stored under User Configuration. When employees leave the company, we want to delete this profile. We use an external database, which is Active Directory.

Questions

(1) If the Active Directory account is disabled, will the user still be able to connect because the identification information is recorded in ACS?

(2) Is there a way to expire these credentials, say in 24 or 48 hours?

In ACS 3.3 you can also expire the account, and if the account is disabled and the user cached in ACS points to the Windows database for authentication, then ACS should not allow the user in.

Here is where you can set how long the account is active:

http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/u.html#wp273167

Thank you

Tarik

Tags: Cisco Security

Similar Questions

  • Unable to connect to wireless, "ACS user exceeded max sessions" users

    Some corporate users are unable to connect to the corporate wireless.

    On the WLC, I get the following logs:

    AAA Authentication Failure for UserName:dto029 User Type: WLAN USER

    On ACS, I get the error:

    Authen failed  Default Group  ACS user exceeded max sessions  (Default) 192.168.47.46  DTO029......

    What does "ACS user exceeded max sessions" mean? How can I solve this problem? The connection problem affects a few users, while others are able to connect.

    On the corporate SSID, Session Timeout and Client Exclusion are not enabled. The WLC version is 7.0.98.0 and the ACS version is 4.2.0.124.

    The problem is solved when ACS is restarted. Is there a permanent solution?

    Thanks in advance.

    Hello

    The error means that the ACS group the user belongs to (or the user itself) has a "Max Sessions" setting, as described here:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp826493

    ... and the user exceeds this limit.

    ACS can indeed limit the number of concurrent sessions for the same user name. This counter is based on the RADIUS accounting information received from the AAA client: the session counter is incremented when an accounting 'Start' is received and decremented when an accounting 'Stop' packet is received.

    If for any reason ACS doesn't receive an Acct-Stop, it won't decrement the session count, so it may indeed happen that your users exceed the maximum concurrent sessions allowed.

    You can check the active sessions in the ACS "Logged-in Users" report:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/LgsRpts.html#wp680304

    If you restart ACS this info is reset, so everything works again, as you say; as an alternative you can also use the 'Purge logged in users' option on the Logged-in Users page, but it would be wiser to really solve the problem by checking the following:

    - Do you really need the Max Sessions configuration? If not, you can simply disable it in the user/group configuration.

    - If you do need this limitation and the problem is related to overlapping sessions, meaning the WLC does not send the Acct-Stop because there is always a session active and a new one is created at the same time, you can consider increasing the maximum number of sessions.

    HTH,

    Federico

    --

    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
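The counter behaviour Federico describes, as an added example that is not part of the original thread and not ACS code: a small model of a per-user session counter driven by RADIUS accounting. The MAX_SESSIONS value, the user name and the event stream are constructed assumptions; the point is to show that a session whose Acct-Stop never arrives stays counted until the entry is purged, so the next Access-Request for that user is rejected.

```python
# Added example (not ACS source): model of the "Max Sessions" counter fed by
# RADIUS accounting, showing why a missed Acct-Stop produces
# "ACS user exceeded max sessions" until the logged-in user is purged.
from collections import defaultdict

MAX_SESSIONS = 1  # assumed group-level "Max Sessions" value


class SessionTracker:
    """Tracks active sessions per user from RADIUS accounting packets."""

    def __init__(self, max_sessions=MAX_SESSIONS):
        self.max_sessions = max_sessions
        self.active = defaultdict(set)  # user -> set of Acct-Session-Id values

    def accounting(self, user, status, session_id):
        """Acct-Status-Type Start increments, Stop decrements; nothing else does."""
        if status == "Start":
            self.active[user].add(session_id)
        elif status == "Stop":
            # If the NAS never sends this Stop, the session stays counted.
            self.active[user].discard(session_id)
        else:
            raise ValueError("unexpected Acct-Status-Type: %s" % status)

    def active_count(self, user):
        return len(self.active[user])

    def authenticate(self, user):
        """Return (accepted, reason) for an Access-Request checked against the limit."""
        if self.active_count(user) >= self.max_sessions:
            return False, "ACS user exceeded max sessions"
        return True, "accepted"

    def purge(self, user=None):
        """Equivalent of 'Purge logged in users' (or an ACS restart)."""
        if user is None:
            self.active.clear()
        else:
            self.active.pop(user, None)


# Constructed event stream: (kind, user, Acct-Session-Id)
SAMPLE_EVENTS = [
    ("Auth", "dto029", None),
    ("Start", "dto029", "0000a1"),
    ("Stop", "dto029", "0000a1"),   # clean disconnect: counter back to 0
    ("Auth", "dto029", None),
    ("Start", "dto029", "0000a2"),  # the WLC never sends a Stop for this one
    ("Auth", "dto029", None),       # rejected: the overlapping session is still counted
    ("Purge", "dto029", None),      # operator purges the logged-in user
    ("Auth", "dto029", None),       # accepted again
]


def replay(events, max_sessions=MAX_SESSIONS):
    """Replay an event stream and return the list of (accepted, reason) decisions."""
    tracker = SessionTracker(max_sessions)
    decisions = []
    for kind, user, session_id in events:
        if kind == "Auth":
            decisions.append(tracker.authenticate(user))
        elif kind == "Purge":
            tracker.purge(user)
        else:
            tracker.accounting(user, kind, session_id)
    return decisions


if __name__ == "__main__":
    for accepted, reason in replay(SAMPLE_EVENTS):
        print("ACCEPT" if accepted else "REJECT", reason)
```

Running `replay(SAMPLE_EVENTS, max_sessions=2)` instead lets the third request through, which is the "increase the maximum" option from the answer; it hides the missing Stop rather than fixing it.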

  • What is the "User Configuration" password that is requested after the update?

    OS X ran an update last night (I'm on 10.11.3) and after it rebooted it asked me for a "User Configuration" password, see picture below. I am aware that you can just restart as a workaround, but as we have now seen this repeatedly in our office, we would like to know exactly why it's happening.

    Can anyone confirm that this is a bug?

    Just press the Command + Option + Command + DELETE keys and it will switch to the full user name and password fields.

  • Display fields in the User Configuration

    Good day to all.

    In Interface Configuration, we have the User Configuration option to define the fields that appear when you configure individual users. When you go to User Configuration and click on a letter/number in the "List users beginning with letter/number:" section, is it possible to configure the display in the right pane, which now shows just

    User Status Group Network Access Profile

    We do not use NAP; it is a useless field for us. I want to set it up to show one of our pre-defined user configuration fields.

    Thank you

    Dwane

    Dwane,

    This view is not configurable. It may be a feature request.

    Thank you

    ~ JG

    Please rate helpful posts

  • ACS - the configuration list

    Hello

    How can I list the configuration applied to all users and groups on ACS (in a single file)? There are about 300 users.

    Basically, I need information on the maximum sessions per user (maybe in a .txt or .csv file).

    I think this information is available in the files generated by the backup. But I don't know if it is readable.

    Thank you

    Marcelo

    As such, there are no ACS tools with which you can get this information as a report.

    But you can contact Extraxi (www.extraxi.com) and see if they can help you with what you are trying to reach.

  • ACS AD connection: DNS configuration does not resolve the address

    Hello

    I'm trying to configure ACS with AD as the identity store but I have a question.

    I enter the AD domain name, the user name and the password and click the "Test connection" button, and receive a DNS error saying it "cannot resolve network address".

    I connected to the CLI and tested the domain name from there and it works fine.

    I am confused; any help would be appreciated.

    Thank you.

    Hi André,

    In the Active Directory configuration, make sure that you have entered the full domain name. Along with this, access ACS through an SSH connection and make sure the time zone and time on ACS and AD are the same, and make sure the NTP server is configured on the ACS CLI.

    Here are the steps:

    Step 1: Set the time on ACS to match AD. Type the command "clock set [month day hh:mm:ss yyyy]".

    Step 2: Configure the time zone. In configuration mode type the command "clock timezone <timezone>".

    Step 3: Configure the NTP server. Type "ntp server <IP address/hostname>".

    Kind regards

    Kush

  • "Ghost" ACS users

    I'm trying to clean up our ACS database using csutil -i and removing users. I have a group that says "Group 98 (29 users)", but when I click the 'Users in Group' button on the group configuration screen no users are listed, and if I use csutil -u to dump the user list, it lists group 98 but with no users under it.

    Also, I tried compacting the database twice using csutil -d -n -l -q and had no luck.

    Has anyone seen this, or do you have any ideas on how I can remove those users who seem not to be there?

    Make sure you back up the DB first... then try this.

    Edit dump.txt and locate the groups with a number of users. Each group has a #PROFILE N record (where N is 0 to 500).

    The Default Group is profile 0, and so on.

    You will see a "Number of users:" field that should be zero for groups with no users.

    To check things, search for references to this group. For example, if profile 5 was the one with the problem, search for "PROFILE:<TAB>5" to find all users (there should not be any) who think they are still assigned to this group. <TAB> is actually the TAB control character; csutil uses tabs as delimiters.

    Good luck!
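A way to cross-check the dump the answer describes, as an added example that is not part of the original thread: parse a tab-delimited dump, read each #PROFILE record's stored "Number of users:" value, count the user records whose PROFILE field points at that group, and report the groups where the two disagree. The record layout below is a simplified, constructed approximation of what the answer says dump.txt contains, not the exact csutil format; check the key names against your own dump before relying on it.

```python
# Added example (not ACS/csutil code): find groups whose stored member count
# does not match the user records that actually reference them.
# Dump layout is a constructed approximation: "#PROFILE N" / "#USER name"
# record headers followed by tab-separated "key:<TAB>value" lines.
from collections import defaultdict

SAMPLE_DUMP = "\n".join([
    "#PROFILE 0",
    "NAME:\tDefault Group",
    "Number of users:\t2",
    "#PROFILE 98",
    "NAME:\tGroup 98",
    "Number of users:\t29",   # group record claims 29 members ...
    "#USER alice",
    "PROFILE:\t0",
    "#USER bob",
    "PROFILE:\t0",            # ... but no user record points at PROFILE 98
])


def parse_dump(text):
    """Return ({profile: stored user count}, {profile: [user names]})."""
    claimed = {}
    members = defaultdict(list)
    record = None  # ("profile", n) or ("user", name)
    for line in text.splitlines():
        if line.startswith("#PROFILE"):
            record = ("profile", int(line.split()[1]))
            claimed.setdefault(record[1], 0)
        elif line.startswith("#USER"):
            record = ("user", line.split(None, 1)[1])
        elif "\t" in line and record is not None:
            key, value = line.split("\t", 1)
            key = key.strip().rstrip(":").lower()
            if record[0] == "profile" and key == "number of users":
                claimed[record[1]] = int(value.strip())
            elif record[0] == "user" and key == "profile":
                members[int(value.strip())].append(record[1])
    return claimed, dict(members)


def ghost_groups(text):
    """Profiles whose stored count disagrees with the user records: {n: (stored, actual)}."""
    claimed, members = parse_dump(text)
    return {n: (stored, len(members.get(n, [])))
            for n, stored in claimed.items()
            if stored != len(members.get(n, []))}


if __name__ == "__main__":
    for n, (stored, actual) in sorted(ghost_groups(SAMPLE_DUMP).items()):
        print("PROFILE %d: stored count %d, actual user records %d" % (n, stored, actual))
```

Read a real dump with `open("dump.txt", encoding="latin-1").read()` in place of SAMPLE_DUMP; a group that shows up here with a stored count but zero referencing users is the "ghost" case from the question.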

  • The ACS user groups

    I have a problem.

    We have 2 groups created in ACS, Group 1: TACACS Access and Group 2: Radius Access. Group 1 has the people that have been created on the ACS server itself. The 2nd group is dynamic, for users who are enabled for access through User Manager for Domains. We do not want the 2nd group to be able to access our routers and switches with their Microsoft accounts, which they can now, at least as far as the enable prompt. I wish I had 2 groups completely independent of each other. Our Group 1 is used only for our administrators to have access to all of our network devices.

    I'm sure some type of filtering or an IP address group could be implemented on ACS, but I'm not sure where, if this is the case.

    Can someone please help!

    Thank you!

    Matt

    You must set up a Network Access Restriction (NAR) on Group 2 to restrict it from being able to access the routers/switches.

    Make sure Group-Level NAR is checked under Interface Configuration - Advanced Options. Then go under Group 2, NAR section, check the "Define IP-based access restrictions" box, select Table Defines "Denied Calling/Point of Access Locations", and then select each of the routers/switches, using * for the Port and Address, and add them to the table.

    Anyone in Group 2 will then be refused authentication on any of the routers/switches.

  • MT42: HP Easy Shell - allow user configuration changes

    Hello

    We use HPDM to capture and deploy images of HP MT42 Mobile Thin Clients with Windows Embedded 7 and HP Easy Shell set up. The Enhanced Write Filter is configured, so no user changes can be saved.

    This works very well for us, but now we want to allow users to keep their wireless settings.

    We allow them to configure wireless networks, but of course these changes are lost after each reboot.

    I know you can work with exclusions in the write filter, but I can see this works only for files and folders.

    How can we ensure that these wireless changes made by users are persistent?

    For UWF, please follow the steps below.

    1. Add the following path to the file exclusion list
      C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\
    2. Add the registry path to the registry exclusion list
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WlanSvc\Interfaces

    For FBWF, please follow the steps below.

    1. Add the following path to the file exclusion list
      C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\
    2. Disable FBWF and create a .reg file with the following content:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RegFilter\Parameters\MonitoredKeys\5]
    "ClassKey"="HKLM"
    "FileNameForSaving"="_Wifi.RGF"
    "RelativeKeyName"="Software\\Microsoft\\WlanSvc\\Interfaces"

  • Power as an XP user configuration

    Hello!

    I would like to change my power configuration under XP Pro SP2 as a normal user without administrator rights. Of course, I have to use the tool, but it works only in administrator accounts.

    Any ideas?

    Cheers

    Lutz

    Hello

    Well, in my opinion you can't change it without administrator rights. In this case, your user account lacks the rights.
    As far as I know, a user with admin (Administrator) rights must log on to your device. Then you choose the Power Options properties. There is a Security tab.
    The option must be checked to allow it under your username.

    Good bye

  • Several downloadable ACLs by ACS user group

    Is it possible to map several downloadable ACLs to a single user or user group using ASA and ACS?

    For example, you have an ACL controlling access to servers (ACL A) and another ACL for internet access (ACL B). Is it possible to assign several ACLs to a user group, such that user group A can only access the servers, while user group B can access servers and internet (ACL A + ACL B)?

    Thank you and best regards.

    George,

    The user and group settings only allow you to select a single DACL instance at a time.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080a9eddc.shtml#configuringtheserverwitfddhias

    Kind regards

    Jousset

    Please rate helpful posts

  • ACS - user passwords can be changed with LOCAL database

    Hi all.

    I have a Cisco ACS and I use the local user database.

    Is there a mechanism to allow the user to change his or her password?

    Thank you

    Michele

    I assume you are referring to ACS for NT/W2K. If so, depending on which version of ACS you have, please choose the URL below and select the link for setting up User Changeable Passwords.

    That should help you.

    http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacs4nt/index.htm

    Thank you

    Christophe

  • ACS redundancy configuration

    Hi all

    I need to set up a new ACS as a secondary ACS.

    (1) Do we therefore need to configure the new ACS server's IP address on all switches?

    (2) If the primary ACS goes down, will the secondary work as primary?

    Thank you & best regards

    Hi Adam,

    (1) Yes, you must configure the IP addresses of all RADIUS/TACACS+ servers on your switches so that the switches can authenticate against the TACACS+ servers according to the aaa server group on the network device. The two ACS servers in a cluster do not share a virtual IP address.

    (2) If the primary ACS goes down, the secondary will not take over as primary. As far as the rest of the deployment is concerned, the primary has gone down. You will not be able to make most changes on the secondary without going back to the deployment options and switching to Local Mode or promoting it to primary.

    Local Mode means that your server is removed from the existing cluster. Promote to primary means that the primary and secondary servers reverse roles. What you would typically do during an outage is work in Local Mode and, when the primary is restored, register the secondary back to the primary so that it is synchronized with the primary.

    If you want to keep changes made on the secondary (Server B) after the primary (Server A) went down, you must promote B to primary, add A as secondary and, after the sync, switch roles between them by promoting A to primary.

  • Cisco ACS user password change?

    Hi all

    Even though I don't check the "Enable Password Change via PEAP" setting on Cisco ACS, when a user whose domain password is about to expire tries to log on to the wireless network, they receive a popup on Windows XP saying that their password is about to expire?

    Is this normal?

    PS: Check the screenshot attached.

    ACS is not able to send these messages to wireless users.

    AD sends them.

  • AAA - ACS - users authenticate to different NDG

    Hello...

    We have an ACS appliance integrated with MS AD and the users are authenticated successfully.

    Our requirement is that we have 3 departments with 20 switches each. I created 3 Network Device Groups (NDG) in ACS, one for each department, with 20 switches each.

    Now, if I create a user, it can log on to the switches of all 3 departments, since they are under the same ACS.

    I want a particular user to authenticate only to the NDG associated with his department.

    Hope my question is clear... Please forward your comments.

    Thank you very much

    Jafar

    Network Access Restrictions (NAR) will work in this scenario. The best approach will be to create distinct user groups for each department, then enable a shared NAR in the group properties and select the appropriate NDG in order to restrict access for those user groups.

    For example: user group Dept A will be denied access to the NDGs of Dept B and C according to the selection, and likewise a NAR can be applied to the rest of the user groups.

    Hope this helps

    Ahmed
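The two NAR answers above (Group 2 denied on every router/switch through a "Denied" table; department groups restricted to their own NDG) describe the same decision rule, shown here as an added example that is not part of the original thread and not ACS code: a request is matched against the group's NAR table by AAA client (or NDG), port and address with * wildcards; a "Denied" table rejects on a match, a "Permitted" table rejects unless there is a match. Group names, NDG membership and AAA client addresses are constructed, and the real NAR engine has options (DNIS/CLI restrictions, multiple shared NARs) that this model leaves out.

```python
# Added example (not ACS code): group-level Network Access Restriction decision.
# "Denied" table: reject when any entry matches the AAA client, port and address.
# "Permitted" table: reject unless an entry matches.
from fnmatch import fnmatch

# Constructed NDG -> AAA client addresses
NDG = {
    "Dept_A_Switches": ["10.1.0.1", "10.1.0.2"],
    "Dept_B_Switches": ["10.2.0.1", "10.2.0.2"],
    "Dept_C_Switches": ["10.3.0.1", "10.3.0.2"],
}

# Constructed group -> NAR. Entries are (AAA client or NDG name, port pattern, address pattern).
NARS = {
    "Group 1: TACACS Access": None,  # administrators, no restriction
    "Group 2: Radius Access": {
        "table": "Denied",
        "entries": [("Dept_A_Switches", "*", "*"),
                    ("Dept_B_Switches", "*", "*"),
                    ("Dept_C_Switches", "*", "*")],
    },
    "Dept A Users": {
        "table": "Permitted",
        "entries": [("Dept_A_Switches", "*", "*")],
    },
}


def expand(client):
    """An NDG name expands to its member AAA clients; anything else is one AAA client."""
    return NDG.get(client, [client])


def nar_decision(group, aaa_client_ip, port, address, nars=NARS):
    """Return (permitted, reason) for a request relayed by aaa_client_ip."""
    nar = nars.get(group)
    if nar is None:
        return True, "no NAR on group"
    matched = any(
        aaa_client_ip in expand(client)
        and fnmatch(port, port_pat)
        and fnmatch(address, addr_pat)
        for client, port_pat, addr_pat in nar["entries"]
    )
    if nar["table"] == "Denied":
        return (not matched), ("denied by NAR" if matched else "not in denied table")
    if nar["table"] == "Permitted":
        return matched, ("permitted by NAR" if matched else "not in permitted table")
    raise ValueError("unknown NAR table type: %s" % nar["table"])


if __name__ == "__main__":
    for group, client in [("Group 2: Radius Access", "10.1.0.1"),
                          ("Group 1: TACACS Access", "10.1.0.1"),
                          ("Dept A Users", "10.1.0.2"),
                          ("Dept A Users", "10.2.0.1")]:
        print(group, client, nar_decision(group, client, "tty1", "192.0.2.5"))
```

The "Permitted" form is the safer one for the department case: a switch added to the network but not yet placed in any NDG is rejected by default, whereas a "Denied" table silently permits it.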
